It expects PEM certs, which is correct in your case. The problem is hostname which contains trailing dot, which is not present in the cert used by Quad9. Unfortunatelly DNS convention and PKI convention differs... It works for me when I use this command: